CVE-2023-45815 (ArchiveBox wget extractor)
**Name of the Vulnerable Software and Affected Versions**
ArchiveBox (affected versions not specified)
**Description**
The issue affects users of the `wget` extractor who view the content it outputs. If a user is logged in to the ArchiveBox admin site in the same browser session and views an archived malicious page, malicious JavaScript in that page can act with the logged-in admin's credentials, allowing it to add, remove, or modify snapshots and users and to perform other admin actions. For users who are not logged in, the impact is less severe, as the malicious JavaScript can only read archived content. The issue arises because all archived content is served from the same host and port as the admin panel, so the browser treats it as the same origin and its same-origin protections do not apply.
**Recommendations**
To mitigate the issue, disable the `wget` extractor by setting `archivebox config --set SAVE_WGET=False`.
Ensure you are always logged out when viewing archived content.
Serve only a static HTML version of your archive to minimize the risk of exploitation.
Disable the `dom` extractor by setting `archivebox config --set SAVE_DOM=False` to further reduce the risk.
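As an added example (not part of the advisory or of ArchiveBox itself), the following script audits an ArchiveBox data directory's `ArchiveBox.conf` for the two extractor toggles above and reports any that are still enabled. It assumes the toggles live in an INI section named `ARCHIVE_METHOD_TOGGLES`, that environment variables override the file, and that an unset toggle means the extractor is enabled; the sample config is constructed.

```python
"""Audit ArchiveBox.conf for the extractor toggles the CVE-2023-45815
mitigation recommends switching off (SAVE_WGET and SAVE_DOM)."""
import configparser
import os
from typing import Dict, List

# Keys follow the `archivebox config --set` names from the advisory.
# The INI section name is an assumption about ArchiveBox's config layout.
RISKY_EXTRACTORS = {"SAVE_WGET": "wget", "SAVE_DOM": "dom"}
TOGGLE_SECTION = "ARCHIVE_METHOD_TOGGLES"


def parse_bool(value: str) -> bool:
    """Accept True/False, 1/0, yes/no, on/off, case-insensitively."""
    return value.strip().lower() in ("true", "1", "yes", "on")


def effective_toggles(conf_text: str, env: Dict[str, str]) -> Dict[str, bool]:
    """Return the effective on/off state of each risky extractor.
    Assumption: environment variables take precedence over the INI file, and
    a toggle present in neither source defaults to enabled (True)."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    state: Dict[str, bool] = {}
    for key in RISKY_EXTRACTORS:
        if key in env:
            state[key] = parse_bool(env[key])
        elif parser.has_option(TOGGLE_SECTION, key):
            state[key] = parse_bool(parser.get(TOGGLE_SECTION, key))
        else:
            state[key] = True  # not configured: extractor stays enabled
    return state


def findings(conf_text: str, env: Dict[str, str]) -> List[str]:
    """One finding per extractor still enabled, with the command to fix it."""
    out: List[str] = []
    for key, enabled in effective_toggles(conf_text, env).items():
        if enabled:
            name = RISKY_EXTRACTORS[key]
            out.append(f"{name} extractor enabled; run: archivebox config --set {key}=False")
    return out


# Constructed sample config: wget already disabled, dom left at its default.
SAMPLE_CONF = """
[ARCHIVE_METHOD_TOGGLES]
SAVE_WGET = False
SAVE_PDF = True
"""

if __name__ == "__main__":
    for line in findings(SAMPLE_CONF, dict(os.environ)):
        print(line)
```

Point it at a real deployment by reading the contents of `ArchiveBox.conf` into `conf_text` and passing `os.environ`, which also catches toggles set only through the environment.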